Welcome to the new Becker-Posner Blog, maintained by the University of Chicago Law School.

08/07/2011

The Challenge of Cyberwarfare and Cyberspying -Becker

In May 2010 the US military appointed its first four-star general to direct its defensive and offensive capabilities in cyber warfare. China, Russia, and other major countries also have increased their skills in this new kind of warfare. All major banks and other companies, such as Google, continue to upgrade their protection against breaches of their information and computer network systems. The increasing dependence of both modern economies and modern weaponry on computer-based networks and online storage of information explains the rapid expansion of programs to repel cyber attacks, and to provide armies with significant offensive cyber capabilities.

Of course, modern warfare still relies on large numbers of combat military personnel. But the architecture of the military has become increasingly computer-based, with online communications, information storage, and other essential components that use cyberspace, or can be disrupted through attacks from cyberspace. Countries at war would gain an enormous military advantage if they could shut down the computer-networks of their adversaries for even a few hours.

Larger companies in developing as well as developed countries rely increasingly on the Internet and computer networks. Valuable information can be stolen, privacy of customers compromised, and internal and external communication made much more difficult when these systems get breached.

Warfare and espionage against government and private targets are not just hypothetical possibilities. After gaining independence from the Soviet Union in 1991, Estonia became a technologically sophisticated nation where the great majority of Estonians had access to the Internet, and much business was conducted online. Estonia suffered one of the first cyber attacks on a whole nation for a couple of weeks in 2007. Computer robot networks seized control over huge numbers of computers from many other countries, and used them to attack different targets in Estonia. These attacks crippled activities by the Estonian government, banks, and other businesses. Suspicion focused on the Russian government as the source of these attacks, but this could not be conclusively proved.

Georgia suffered severe cyber attacks slightly before the Russian invasion of Georgia in 2008. The attacks hit government websites, the media, banks, and other businesses. Georgia was more backward than Estonia, so these attacks on Georgia did not cause as much devastation as the earlier ones on Estonia, but they still inflicted considerable harm for a while. The timing and other evidence suggested again that Russia was behind these attacks, but no conclusive evidence could substantiate this belief.

Almost every day another company admits that its computer and online security systems has been breached. Often the attackers turn out to be hackers who just enjoy showing they can defeat even top of the line security firewalls. The culprits are sometimes criminals who seek information, such as credit card names and passwords, which they can use for financial gain. The hackers may also be governments that spy on companies in the hope of acquiring valuable proprietary information.

This week the American cybersecurity company McAfee issued a report that claims to identify a single government perpetrator (alleged to be China) of large numbers of cyberattacks on other governments, companies, and even the United Nations. So far their claims have not been confirmed.

Combating cyberwarfare and cyberspying faces several unique challenges. Since cyberspace is not owned by any nation, and is easily accessed by billions of individuals and companies, it is often very difficult to get clear evidence about who is responsible for cyberattacks, such as the attack last year on Google’s source code, or the earlier attack on Estonia. Are they from governments that are probing for state and business secrets, or from private hackers seeking publicity, or valuable information that they can use for financial gain? If the source of the attack cannot be identified with much confidence, it is hard to establish a credible system of deterrence.

A second major challenge is the intrinsic vulnerability of many Internet and computer network systems. It has long been recognized that foolproof security systems do not exist, whether they be vaults, safes, identifications for checking accounts, or other traditional forms of protecting valuable assets. Any security system that protects information will generate efforts to access that information, including sometimes efforts by individuals who helped design these systems.

Since security systems that protect information in cyberspace are even more vulnerable, continuing battles take place against public and private hackers who probe for weaknesses in these systems. No company or government can ever hope to have a cyber-based system that cannot be breached, but they can make breaching more difficult.

The development of clearer international law about hacking would help deter attacks in cyberspace by private individuals and groups. Cyberattacks on military targets might be also brought before international tribunals, but countries have to prepare their own responses. These responses include cyber and other retaliations against cyberattacks during both wartime and peacetime on vital military network and information systems.

The growth of the cyber threat has risen in parallel with global internet usage. Online development happens so quickly that, at present, those who seek to intrude upon online systems have an advantage over those who are trying to protect them. Cyber-espionage is highly targeted, so protection should be greatest around information that has the highest value to outsiders.
Enterprises are not taking the threat of cyber espionage seriously enough, and many have not taken adequate steps to prevent an attack. The threat of cyber espionage must be addressed by enterprises as it is as relevant to them as it is to national security organisations.

Not much to add on this one. Observer/Munger have a strong point in the "better cash register" theory....... but pre-computer embezzlement was typically very localized and of no threat to any overall system.

Today, we've the triple threats of 1. embezzlement 2.ID theft and 3. the whole area of security threat from terrorists (or fairly sick pranksters) taking down the grid or hacking a nukie installation to military secrets etc.

There's bound to be advancements in the "better cash register" but trouble is they all rely on a "key" typically a secret code that can be hacked, or can be "lost" or given away by one of the trustees.

The military, and the diplomats, may have to get used to there being less privacy.

Except for actual battle plan troop movements, which probably can be protected, it may not be all bad for the miltaries of the world and the diplomats to known more about weapons development etc.

And? some positives? I've LONG favored banning nukes, and making the factors of production and delivery international contraband. In the "USSR" days, perhaps, there was not the means to verify compliance. Today? I'd expect the military knows of most nuke projects, and the anonymity of the internet and "hackers" could help rat out the rest.

Once we've become civilized enough (as so many RETIRED generals have) to rapidly "build them down to zero" with a fair sized army of inspectors and lucrative "Rewards for info leading to........." we should all be much safer at FAR lower costs.

Any guesses here, as to what building, protecting, dismantling nukes costs us each year? More than $100 billion?

Some economists have reported the "speculation premium" on gasoline at the pump as being 83 cents/gallon. ...... about what I'd have guessed from oil co spokesmen having stated prices in the $50 range would cover most exploration and development.

http://www.californiaprogressreport.com/site/node/9125

..... Question: As it IS becoming more apparent that speculation is increasing our costs by such untenable margins......... WHY do we tolerate such an "inefficient" (rigged) market?

This is certainly happening in food prices as well.

But! Haha! IF we believe "markets" will eventually self-correct there's another round of our fellow citizens being beaten and robbed. How many brokers and "advisers" have we heard or read in recent years who are "putting their clients IN commodities?" Just as if taking a speculative, zero sum, "position" (feel free to use your imagination) "In commodities" was the same as investing in the future gains of a productive enterprise.

There's bound to be advancements in the "better cash register" but trouble is they all rely on a "key" typically a secret code that can be hacked, or can be "lost" or given away by one of the trustees....I really appreciate your post and you explain each and every point very well.Thanks for sharing this information...

Over the past ten years, a lot of work has been done on the economics of information security. Modern systems tend to have many stakeholders, who may be competitors or even in conflict; security often fails because the person who does the maintenance isn't the person who pays the cost of failure. But that's just the start. The field has many fascinating examples of asymmetric information, network and other externalities, agency effects and behavioural twists. For survey papers and links to recent research, see

Riots might be less common here because of the social and spatial distancing that protects people from marauders but also prevents people from forming organic communities with any semblance of a common social life that Europe continues to enjoy--at least for now.